Question KnowBe4 Ransomware Simulator


Victor M

I just tried to run KnowBe4 Ran Sim.

SAC blocked it first, with an explanation (probably a generic explanation, I haven't seen one before).
So I disabled SAC and tested again.
Now Kaspersky blocked it, with an access denied message, and nothing in the detection log.
Then CyberLock popped up an allow-or-not dialog.

My aim is to test Kaspersky's process injection mitigation, and the plan failed. K blocks the installation, probably by signature - the installation doesn't even begin. And it shows no explanation. The KnowBe4 Ran Sim is supposed to use several process injection methods.
 
What you’re seeing is fairly typical when you run “simulator” tools: Windows and AV products often block them early (reputation/signature/risk-tool classification) before any “process injection mitigation” behavior can be observed, so the test never reaches the stages you actually want to evaluate.

Why SAC blocked it first
Smart App Control (SAC) mainly gates execution based on reputation/signing and cloud judgments. Tools like RanSim are commonly low-reputation and behave like malware (by design), so SAC may stop them even if they’re legitimate.

Why Kaspersky can deny access with no obvious detection entry
Kaspersky can block in multiple layers, and not all of them show up as a classic “malware detection” entry:

  • Application Control / Default Deny / Restrictions can block a process start and show “Access denied” without a typical signature detection name.
  • Intrusion Prevention or Exploit/behavior rules may terminate/deny actions and log under a different component than “Detections”.
  • System Watcher / ransomware protection behavior can also stop RanSim very early because it intentionally performs ransomware-like actions.

So the key point is: “nothing in detection log” doesn’t necessarily mean “no record”; it often means “it’s recorded under another report category.”

What to check inside Kaspersky (most useful first)
Without knowing your exact Kaspersky product/UI version, these are the usual places where the event is recorded:

  • Reports / Event log and then filter by components such as:
    • Application Control
    • System Watcher
    • Intrusion Prevention
    • File Anti-Virus
  • Quarantine (in case it was deleted/disinfected instantly)
  • Excluded/Trusted zone events (if it was auto-handled due to policy)

If you want to share a screenshot of the “Access denied” popup and your Kaspersky version (Standard/Plus/Premium vs KIS/KES), members can usually point to the exact component that did it.

Testing process injection mitigation safely (so the test actually runs)
If your goal is specifically to observe injection-related blocking rather than signature/reputation blocking, the practical approach is:

  • Do it in a VM (snapshot first), offline or on an isolated network. RanSim-style tools can still cause real disruption if something goes wrong.
  • Verify you downloaded the official RanSim (don’t rely on random mirrors). You can also submit the installer hash/file to VirusTotal for visibility. This won’t prove it’s safe, but it helps confirm you’re testing the expected file.
  • Temporarily create an explicit allow/exclusion for the RanSim installer and folder (only in the VM). Otherwise, Kaspersky may block at “on-access scan” before any injection attempt happens.
  • Enable/keep detailed reporting in Kaspersky so you can see which module blocks which action.

Important limitation: even with exclusions, some products still block “risk-tool / simulator” behavior via behavior rules. In that case, RanSim is simply not a good tool to isolate “process injection mitigation,” because it triggers other high-priority defenses first.

CyberLock prompt
That part makes sense: whitelisting/anti-execution tools commonly prompt rather than silently block. It also reinforces that RanSim is behaving like a threat simulator (again: expected), so layered defenses will interfere unless you carve out a controlled test policy.

Bottom line
Your plan didn’t fail because Kaspersky “has no injection mitigation,” but because RanSim is getting stopped at earlier layers (reputation/signature/application control/behavior) that prevent the injection stage from running. The next productive step is running it in an isolated VM and checking Kaspersky’s component-specific reports (especially Application Control/System Watcher/Intrusion Prevention), then only if needed using a VM-only allow/exclusion so the tool can reach the injection techniques you’re trying to evaluate.
 
Hi @Victor M . The issue is that Kaspersky detects the KnowBe4 simulator by its signature and blocks it before it even tries to act like ransomware. Since it’s a commercial tool, it’s designed more for user awareness than for deep EDR technical testing, which is why you aren't seeing the process injection part.

If your goal is to specifically test how Kaspersky handles code injection, you might need to use more direct testing methods in a VM, as the simulator isn't really built for that.

I’m sure other members with more technical testing experience can give you more specific examples, but I hope this helps as a starting point. It would be great to hear what results you get in your future tests! 🛡️🔍
 
The KnowBe4 Ran Sim is supposed to use several process injection methods.

To test with KnowBe4 Ran Sim, you must whitelist the simulator. Next, it will create ransomware samples and run them. I tested it a few years ago:
 
I ended up disabling K antivirus and K intrusion. Then the installer will install. Then I re-enabled antivirus and intrusion. I have intrusion set to ask about interprocess things. And when I ran the simulator and clicked Check, it quarantined the program. Best I could do, as the program is all one piece, so K could not quarantine just one checking module.

I had the Ran Sim marked as Trusted. But the Trusted category has the interprocess things set to Ask.
 
I conducted a test on MD on MAX settings and then on Default settings (the same result). First, I had to exclude in MD and in ASR rules all executables in the folder C:\KB4\Newsim.
The malware files are created in the folder c:\KB4\Newsim\DataDir\MainFolders\.
The program and the type of created samples are well known to AVs.

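One way to answer "which layer actually blocked it" on the Microsoft Defender side, as an added example that is not code from the thread, from KnowBe4 or from any poster: it searches the Defender and Code Integrity event logs for entries that mention the simulator folder named in the post above, tags each hit with the layer (AV engine, ASR rule, or Smart App Control / WDAC policy) and whether it was audit or block, and then reads back the exclusion state read-only. It goes slightly beyond the post's MD-only test by also covering the SAC block described in the first post; the event IDs are Microsoft's documented values, and the folder path is assumed to be the one from the post.

```powershell
# Added example, not from the thread. Assumes Defender/ASR and Smart App Control on the host
# and that the simulator lives in the folder named in the post above.
$SimFolder = 'C:\KB4\Newsim'

# Documented event IDs:
#  Defender Operational:       1116 = malware detected, 1117 = action taken,
#                              1121 = ASR rule blocked,  1122 = ASR rule audited
#  CodeIntegrity Operational:  3077 = file blocked by WDAC/Smart App Control, 3076 = audit
$Sources = @(
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117, 1121, 1122 },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational';    Id = 3076, 3077 }
)

$Hits = foreach ($Src in $Sources) {
    Get-WinEvent -FilterHashtable $Src -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$SimFolder*" } |
        ForEach-Object {
            # Map the event ID to the layer that produced it
            $Layer = switch ($_.Id) {
                { $_ -in 1116, 1117 } { 'Defender AV engine' }
                { $_ -in 1121, 1122 } { 'Defender ASR rule' }
                { $_ -in 3076, 3077 } { 'Code Integrity / Smart App Control' }
            }
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Id    = $_.Id
                Layer = $Layer
                Mode  = if ($_.Id -in 1122, 3076) { 'audit' } else { 'block' }
                Log   = $Src.LogName
            }
        }
}

if ($Hits) { $Hits | Sort-Object Time | Format-Table -AutoSize }
else { "No Defender/ASR/Code Integrity events mention $SimFolder; check the other products' reports." }

# Read-only view of the exclusions the post describes (AV path exclusion and ASR-only
# exclusion), so an empty detection log can be told apart from "folder already excluded".
$Pref = Get-MpPreference
[pscustomobject]@{
    AvPathExcluded  = ($Pref.ExclusionPath -contains $SimFolder)
    AsrOnlyExcluded = ($Pref.AttackSurfaceReductionOnlyExclusions -contains $SimFolder)
    AsrRuleCount    = @($Pref.AttackSurfaceReductionRules_Ids).Count
} | Format-List
```

Run it in an elevated PowerShell inside the test VM after the simulator has been blocked; an empty result with `AvPathExcluded = True` means the AV layer was bypassed by the exclusion and a different product (or a behavior layer) stopped it.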
 
You deployed three overlapping security layers (Smart App Control, Kaspersky, and CyberLock) simultaneously while attempting to evaluate Kaspersky's process injection mitigation using the KnowBe4 Ransomware Simulator. Because layered defenses block known simulator tools based on preliminary signatures and reputation checks, the simulator was terminated before it could execute its process injection routines. By failing to isolate the specific mechanism you wanted to test, you inadvertently compromised the integrity of your own test.

You should disable Smart App Control (SAC) and remove CyberLock. Testing multiple overlapping security layers simultaneously creates race conditions and diagnostic obscurity, making it impossible to determine which product intercepted the payload. To accurately assess Kaspersky’s specific behavioral and process-injection mitigations, it must be evaluated as a standalone entity in a clean, isolated environment (such as a reverted Virtual Machine).
 
@Victor M I downloaded the KnowBe4 Ransomware Simulator just out of curiosity. After downloading it, the Ransomware Simulator extracts the executable file from the installer. I didn't want to install it because I don't like installing applications on my laptop and desktop. Even when I clicked to run the Ransomware Simulator, it was immediately blocked by McAfee and moved to quarantine, as you can see in the screenshot below. :)
McAfee blocked SRP/Windows Hybrid Hardening Light before it could run, so I had to temporarily disable McAfee to see if it would run, and it was indeed blocked by WHHL, as you can see in the screenshot below. Since I use a SUA account, it would be almost impossible to install or run SimulatorSetup.exe, the installation file for KnowBe4 Ransomware Simulator. PS. I would like to thank @Andy Ful for creating the Hard_Configurator and Windows Hybrid Hardening Light tools. Personally, I couldn't live without them, even when using third-party antivirus software. I find Andy's tool indispensable. ;)